CIS 2352 (Ethical Hacking)

445 Terms

1
Penetration testing is the practice of finding vulnerabilities and risks with the purpose of securing a computer or network. Penetration testing falls under which all-encompassing term?

Ethical hacking
2
Heather is performing a penetration test. She has gathered a lot of valuable information about her target already. Heather has used some hacking tools to determine that, on her target network, a computer named Production Workstation has port 445 open. Which step in the ethical hacking methodology is Heather performing?
Scanning and enumeration
3
Which of the following is the third step in the ethical hacking methodology?
Gain access
4
Miguel is performing a penetration test on his client's web-based application. Which penetration test frameworks should Miguel utilize?
Open Web Security Application Project (OWASP)
5
The penetration testing life cycle is a common methodology used when performing a penetration test. This methodology is almost identical to the ethical hacking methodology. Which of the following is the key difference between these methodologies?
Reporting
6
You are executing an attack in order to simulate an outside attack. Which type of penetration test are you performing?
Black box
7
Which of the following best describes a gray box penetration test?
The ethical hacker has partial information about the target or network.
8
Randy was just hired as a penetration tester for the red team. Which of the following best describes the red team?
Performs offensive security tasks to test the network's security.
9
The Stuxnet worm was discovered in 2010 and was used to gain sensitive information on Iran's industrial infrastructure. This worm was probably active for about five years before being discovered. During this time, the attacker had access to the target. Which type of attack was Stuxnet?
Advanced Persistent Threat (APT)
10
Which type of threat actor only uses skills and knowledge for defensive purposes?
White hat

A white hat is a skilled hacker who uses their skills and knowledge for defensive purposes only. Many organizations and companies now employ these security analysts, who understand the hacker's mindset.

The gray hat hacker falls in the middle of the white hat and black hat hackers. The gray hat may cross the line of what is ethical, but usually has good intentions and isn't being malicious like a black hat hacker.

A hacktivist often targets government agencies, corporations, or any entity they are protesting.

A script kiddie only uses tools and scripts that have been developed by others. This person has no desire to understand how these tools work and is extremely unskilled.
11
Which statement best describes a suicide hacker?
This hacker is only concerned with taking down their target for a cause. They have no concerns about being caught.
12
Miguel has been practicing his hacking skills. He has discovered a vulnerability on a system that he did not have permission to attack. Once Miguel discovered the vulnerability, he anonymously alerted the owner and instructed him how to secure the system. What type of hacker is Miguel in this scenario?
Gray hat

A gray hat hacker falls in the middle of the white hat and black hat hackers. The gray hat may cross ethical lines, but usually has good intentions and isn't being malicious like a black hat hacker.

A white hat is a skilled hacker who uses their skills and knowledge for defensive purposes only. Many organizations and companies employ these security analysts, who understand the hacker's mindset.

A state-sponsored hacker works for a government and attempts to gain top-secret information by hacking other governments.

A script kiddie only uses tools and scripts that have been developed by others. This person has no desire to understand how these tools work and is extremely unskilled.
13
The process of analyzing an organization's security and determining its security holes is known as:
Threat modeling

Threat modeling is the process of analyzing an organization's security and determining its security holes. Once a threat model is put together, the organization can begin securing its systems and data.

Penetration testing is the practice of finding vulnerabilities and risks with the purpose of securing the computer or network system.

Ethical hacking is an all-embracing term that includes all hacking methods.

Extracting information such as usernames, computer names, network resources, shares, and services is called enumeration.
14
Which of the following documents details exactly what can be tested during a penetration test?
Scope of Work

The scope of work is a very detailed document that defines exactly what software, hardware, test types, and facility features are going to be included in the penetration test. This document is also referred to as the statement of work.

The rules of engagement document details how the test will be carried out.

The master service agreement is a contract where parties agree to most of the terms that will govern future actions.

The non-disclosure agreement is a common legal contract outlining confidential material or information that will be shared during the assessment and what restrictions are placed on it.
15
After performing a risk assessment, an organization must decide what areas of operation can be included in a penetration test and what areas cannot be included. Which of the following describes the process?
Tolerance
16
You are performing a penetration test of a local area network (LAN). Refer to the circled area on the network diagram. Which of the following types of penetration tests is being performed?
Internal

An internal test will focus on any systems that logically reside behind the firewall. These can be off-site or on-site.

An external test will focus on any publicly facing system, such as a web server that resides in the DMZ.

A black box test means that the ethical hacker has no information about the target or network.

A gray box test means that the ethical hacker is given partial information about the network and computer systems.
17
Miguel is performing a penetration test on a web server. Miguel was given only the server's IP address and name. Which of the following best describes the type of penetration test Miguel is performing?

External
18
Which of the following elements is generally considered the weakest link in an organization's security?
Human
19
Which of the following best describes social engineering?
The art of deceiving and manipulating others into doing what you want.
20
Which of the following is considered a mission-critical application?
Medical database
21
What does an organization do to identify areas of vulnerability within their network and security systems?
Risk assessment

The purpose of a risk assessment is to identify areas of vulnerability within the organization's network. The risk assessment should look at all areas, including high value data, network systems, web applications, online information, and physical security, including operating systems and web servers. This is done before beginning a penetration test.

An internal test focuses on any systems that logically reside behind the firewall. These can be offsite or onsite.

An external test focuses on any publicly facing system, such as a web server that resides in the DMZ.

Scanning is the second step in the hacking process. The ethical hacker uses various tools to gather in-depth information about the network, computer systems, live systems, and open ports.
22
During a risk assessment, the organization determines that the risk of collecting personal data from its customers is not acceptable and stops. What method of dealing with risk is the organization using?

Avoidance
23
The following formula defines which method of dealing with risk?

**Cost of Risk > Damage = Risk _________**
Acceptance
24
Which of the following is a consideration when scheduling a penetration test?

Who is aware of the test?

The rules of engagement must specify who is aware of the penetration test and its time frame. The fewer people who know, the more realistic the test will be.

The scope of work will spell out which systems are included in the penetration test.

A security exception is any deviation from standard operating security protocols.

Risk acceptance occurs when the organization determines that the cost and effort to mitigate a risk outweighs the risk's potential damage, so they simply accept the risk.
25
A client asking for small deviations from the scope of work is called:
Scope creep
26
Heather is in the middle of performing a penetration test when her client asks her to also check the security of an additional server. Which of the following documents does she need to submit before performing the additional task?
Change order

When a change to the scope of work is requested, a change order should be filled out and agreed on. Once this is done, the additional tasks can be completed.

The rules of engagement document details how the test will be carried out.

The scope of work is a very detailed document that defines exactly what is going to be included in the penetration test. This document is also referred to as the statement of work.

The permission to test is often referred to as the get-out-of-jail-free card. Since most people in the client's organization will not know about the penetration test occurring, this document is used if the penetration tester gets caught.
27
Which of the following is a deviation from standard operating security protocols?
Security exception
28
Miguel is performing a penetration test. His client needs to add Miguel's computer to the list of devices allowed to connect to the network. What type of security exception is this?
Whitelisting
29
Which type of penetration test is required to ensure an organization is following federal laws and regulations?
Compliance-based

Compliance-based penetration tests are required to ensure an organization follows federal laws and regulations.

A goal-based penetration test focuses on end results. The test's goals are specific, but the methods for reaching them are determined by the hacker himself.

An objective-based test focuses on the overall security of the organization and its data security. When people think of a penetration test, this is often what they think of.

A white box test occurs when an ethical hacker is given full information about the target or network.
30
Which of the following defines the security standards for any organization that handles cardholder information for any type of payment card?
PCI DSS

The Payment Card Industry Data Security Standards (PCI DSS) defines the security standards for any organization that handles cardholder information for debit cards, credit cards, prepaid cards, and any other type of payment cards.

The Health Insurance Portability and Accountability Act (HIPAA) was created as health records and data started being stored electronically. Its goal is to create a set of standards that would ensure this information is kept safe and is only shared with the patient and medical professionals that need it.

The Digital Millennium Copyright Act (DMCA) was enacted in 1998 to protect copyrighted works.

The Federal Information Security Management Act (FISMA) was signed into law in 2002 and defines how federal government data, operations, and assets are handled.
31
Michael is performing a penetration test for a hospital. Which federal regulation does Michael need to ensure he follows?
HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was created as health records and data started being stored electronically. Its goal is to create a set of standards that would ensure this information is kept safe and is only shared with the patient and medical professionals that need it.

The Payment Card Industry Data Security Standards (PCI DSS) defines the security standards for any organization that handles cardholder information for debit cards, credit cards, prepaid cards, and any other type of payment cards.

The Digital Millennium Copyright Act (DMCA) was enacted in 1998 to protect copyrighted works.

The Federal Information Security Management Act (FISMA) was signed into law in 2002 and defines how federal government data, operations, and assets are handled.
32
Charles found a song he wrote being used without his permission in a video on YouTube. Which law will help him protect his work?
DMCA

The Digital Millennium Copyright Act (DMCA) was enacted in 1998 to protect copyrighted works.

The Payment Card Industry Data Security Standards (PCI DSS) defines the security standards for any organization that handles cardholder information for debit cards, credit cards, prepaid cards, and any other type of payment cards.

The Health Insurance Portability and Accountability Act (HIPAA) was created as health records and data started being stored electronically. Its goal is to create a set of standards that would ensure this information is kept safe and is only shared with the patient and medical professionals that need it.

The Federal Information Security Management Act (FISMA) was signed into law in 2002 and defines how federal government data, operations, and assets are handled.
33
Which of the following best describes what FISMA does?
Defines how federal government data, operations, and assets are handled.

The Federal Information Security Management Act (FISMA) was signed into law in 2002 and defines how federal government data, operations, and assets are handled.

The Sarbanes-Oxley Act (SOX) was enacted in 2002 with the goal of implementing accounting and disclosure requirements that would increase transparency in corporate governance and financial reporting and formalize a system of internal checks and balances.

The Payment Card Industry Data Security Standards (PCI DSS) defines the security standards for any organization that handles cardholder information for debit cards, credit cards, prepaid cards, and any other type of payment cards.

The Health Insurance Portability and Accountability Act (HIPAA) was created as health records and data started being stored electronically. Its goal is to create a set of standards that ensure this information is kept safe and is only shared with the patient and medical professionals that need it.
34
Which of the following best describes what SOX does?
Implements accounting and disclosure requirements that increase transparency.

The Sarbanes-Oxley Act (SOX) was enacted in 2002 with the goal of implementing accounting and disclosure requirements that would increase transparency in corporate governance and financial reporting and formalize a system of internal checks and balances.

The Federal Information Security Management Act (FISMA) was signed into law in 2002 and defines how federal government data, operations, and assets are handled.

The Payment Card Industry Data Security Standards (PCI DSS) defines the security standards for any organization that handles cardholder information for debit cards, credit cards, prepaid cards, and any other type of payment cards.

The Health Insurance Portability and Accountability Act (HIPAA) was created as businesses began storing health records and data electronically. HIPAA's goal is to create a set of standards that ensure medical information is kept safe and is only shared with the patient and medical professionals that need it.
35
Which of the following is a limitation of relying on regulations?
They rely heavily on password policies.

One of the drawbacks to many federal regulations is that they rely heavily on password policies, which are often outdated.

Federal regulations are not updated regularly and can fall behind accepted best practices.

Federal regulations take precedence over industry standards because they're mandated by the government.

Federal regulations are very defined and can limit security management options.
36
Which of the following best describes a goal-based penetration test?
Focuses on the end results. The hacker determines the methods.
37
A goal-based penetration test needs to have specific goals. Using SMART goals is extremely useful for this. What does SMART stand for?
Specific/Measurable/Attainable/Relevant/Timely
38
Which document explains the details of an objective-based test?
Scope of work

The scope of work is a very detailed document that defines exactly what is going to be included in a penetration test. This document is also referred to as the statement of work.

When a change to the scope of work is requested, a change order should be filled out and agreed on by all pertinent stakeholders. Once this is done, the additional tasks can be completed.

The rules of engagement document details how the test will be carried out.

The permission to test is often referred to as the get-out-of-jail-free card. Since most people in the client's organization will not know about the penetration test occurring, this document is used if the penetration tester gets caught.
39
Which of the following best describes a supply chain?
A company provides materials to another company to manufacture a product.

A supply chain is set up when materials from one company are needed from another to manufacture a product.

A company may work with a store to stock their products to be sold, but this is not a supply chain.

Oftentimes, companies use a third-party distribution center to ship sold products to customers, but this is not a supply chain.

Some online retailers, such as Amazon, do sometimes act as a distribution center for sellers, but this is not a supply chain because Amazon is not using the sellers' materials to create a new product.
40
Heather has been hired to work in a firm's cybersecurity division. Her role will include performing both offensive and defensive tasks. Which of the following roles applies to Heather?
A member of the purple team.

The purple team is a mix of red and blue team members. They basically act as a pipeline between the two teams and can work on either side.

The red team consistently works against the blue team to test the organization's security stance, while the blue team focuses on the organization's defensive security. The red team is responsible for establishing and implementing policies and closing vulnerabilities.

A black hat hacker is a skilled hacker who uses skills and knowledge for illegal or malicious purposes.

A gray hat hacker may cross the line of what is ethical, but usually has good intentions and isn't malicious like a black hat hacker.
41
ABC company is in the process of merging with XYZ company. As part of the merger, a penetration test has been recommended. Testing the network systems, physical security, and data security have all been included in the scope of work. What else should be included in the scope of work?

Company culture

During the pre-merger phase, areas such as physical security, data security, company culture, and network systems need to be tested. A penetration test during this phase can help identify shortcomings and large differences that, if left unattended, could lead to disastrous results after the merger or acquisition.

Email and password policies are already included in the network systems test.

Employee IDs are included in the physical security test.
42
Hannah is working on the scope of work with her client. During the planning, she discovers that some of the servers are cloud-based servers. Which of the following should she do?
Add the cloud host to the scope of work
43
During an authorized penetration test, Michael discovered his client's financial records. Which of the following should he do?
Ignore the records and move on.

During a penetration test, the ethical hacker will run across or gain access to highly sensitive data. This could include clients' financial information, customer data, passwords, and more. In this situation, the hacker is expected to keep this information confidential and not view any more than is necessary for reporting purposes.

The penetration tester has no reason to make a backup of the records.

The penetration tester should not continue digging and look for illegal activity.

The penetration tester should not sell or divulge any information.
44
During a penetration test, Heidi runs into an ethical situation she's never faced before and is unsure how to proceed. Which of the following should she do?
Reach out to an attorney for legal advice.
45
What are the rules and regulations defined and put in place by an organization called?
Corporate policies

Corporate policies are the rules and regulations that are defined and put in place by an organization. As part of the risk assessment and penetration test, these policies should be reviewed and tested.

The master service agreement is a contract where parties agree to the terms that will govern future actions. This makes future services and contracts much easier to handle and define.

The rules of engagement define exactly how work will be carried out.

The scope of work is a very detailed document that defines exactly what is going to be included in the penetration test. This document is also called a statement of work.
46
Which of the following is a common corporate policy that would be reviewed during a penetration test?
Password policy

The password policy will usually state how many and what types of characters a password should contain. The policy will also state when the password can be changed.

Meeting policies and procedures would not be reviewed during a penetration test.

Purchasing policies and procedures would not be reviewed during a penetration test.

Parking policies and procedures would not be reviewed during a penetration test.
47
Which of the following policies would cover what you should do in case of a data breach?

Sensitive data handling policy

The policy for handling sensitive data should detail who has access to data, how data is secured, and what to do if an unauthorized person gains access to the data.

The password policy usually states how many and what types of characters a password should contain. The policy also states when the password can be changed.

How often and when updates are pushed out to computers should be defined in the organization's policies. This update schedule needs to be frequent enough to ensure that the network systems have the latest security patches and should not impact business operations.

Corporate policies are the rules and regulations that have been defined and put in place by the organization. As part of the risk assessment and penetration test, these policies should be reviewed and tested.
48
Yesenia was recently terminated from her position, where she was using her personal cell phone for business purposes. Upon termination, her phone was remotely wiped. Which of the following corporate policies allows this action?
BYOD policy

The BYOD policy must define the level of access employees have to company hardware and data and state clearly what happens on termination of employment. Usually, when an employee leaves the company, the device can be remotely wiped, and the employee needs to understand that they are giving the organization rights and access to do this.

The password policy will usually state how many and what type of characters a password should contain. The policy will also state when the password can be changed.

How often and when updates are pushed out to computers should be defined in the organization's policies. This update schedule needs to be frequent enough to ensure that the network systems have the latest security patches and should not impact business operations.

Corporate policies are the rules and regulations that have been defined and put in place by the organization. As part of the risk assessment and penetration test, these policies should be reviewed and tested.
49
During a penetration test, Mitch discovers the following on a client's computer.

* Instructions for creating a bomb
* Emails threatening a public official
* Maps to the official's home and office

Which of the following actions should he take?
Immediately stop the test and report the finding to the authorities.
50
Heather is working for a cybersecurity firm based in Florida. She will be conducting a remote penetration test for her client, who is based in Utah. Which state's laws and regulations will she need to adhere to?
A lawyer should be consulted on which laws to adhere to and both parties agree.

The laws that govern computer usage and hacking can vary from state to state. When this occurs, the penetration tester and the organization need to agree on which set of laws they will adhere to. Whenever there are any questions or concerns regarding laws and regulations, a lawyer should be consulted.
51
United States Code Title 18, Chapter 47, Section 1029 deals with which of the following?
Fraud and related activity involving access devices.

Section 1029 refers to fraud and related activity involving access devices. An access device is defined as any application or hardware that is created specifically to generate any type of access credentials.

Section 1030 refers to fraud and related activity with computers. This section covers pretty much any device that connects to a network.

Section 1028A refers to fraud and related activity related to identity theft.

Section 1037 refers to fraud and related activity involving electronic mail.
52
Which of the following best describes the Wassenaar Arrangement?
An agreement between 41 countries to enforce similar export controls for weapons, including intrusion software.

The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is an agreement between 41 countries that generally hold similar views on human rights. The arrangement encourages the participating countries to hold similar export controls on weapons, including banning some and requiring licensing for others. This also includes intrusion software.

The Payment Card Industry Data Security Standards (PCI DSS) defines the security standards for any organization that handles cardholder information for debit cards, credit cards, prepaid cards, and any other type of payment cards.

The Federal Information Security Management Act (FISMA) was signed into law in 2002 and defines how federal government data, operations, and assets are handled.

The Health Insurance Portability and Accountability Act (HIPAA) was created as health records and data started being stored electronically. Its goal is to create a set of standards that ensure information is kept safe and is only shared with the patient and medical professionals that need it.
53
Which of the following best describes the rules of engagement document?
Defines if the test will be a white box, gray box, or black box test and how to handle sensitive data.

The rules of engagement define if the test will be a white box, gray box, or black box test. It should also explicitly state how to handle sensitive data and outline a process for communicating with the IT department about any issues that may arise during the test.

The scope of work is a very detailed document that defines exactly what is going to be included in the penetration test. This document is also referred to as the statement of work. This document should answer the who, what, when, where, and why of the test.

The master service agreement is a contract where parties agree to most of the terms that will govern future actions. This makes future services and contracts much easier to handle and define.

The permission to test is used as a last resort if the penetration tester is caught in the scope of their work. This get-out-of-jail-free card explains what the penetration tester is doing and that his work is authorized.
54
Which of the following best describes a master service agreement?
A contract where parties agree to the terms that will govern future actions.

The master service agreement is a contract where parties agree to the terms that will govern future actions. This makes future services and contracts much easier to handle and define.

The rules of engagement define whether the test will be a white box, gray box, or black box test. It should also explicitly state how to handle sensitive data and how to work with the IT department if issues arise during the test.

The scope of work is a very detailed document that defines exactly what is going to be included in the penetration test. This document is also referred to as the statement of work. It should explain the who, what, when, where, and why of the test.

The permission to test is used as a last resort if the penetration tester is caught in the scope of their work. This get-out-of-jail-free card explains what the penetration tester is doing and that his work is authorized.
55
Which of the following best describes a non-disclosure agreement?
A common legal contract outlining confidential material that will be shared during the assessment.
56
During a penetration test, Dylan is caught testing the physical security. Which document should Dylan have on his person to avoid being arrested?
Permission to test
57
Social engineers are master manipulators. Which of the following are tactics they might use?
Moral obligation, ignorance, and threatening

Social engineers are master manipulators. Some of the most popular tactics they use are moral obligation, innate human trust, threatening, an easy reward, and ignorance.

Social engineering attacks include shoulder surfing, eavesdropping, USB and keyloggers, spam and spim, and hoaxes.
58
Which of the following best describes a script kiddie?
A hacker who uses scripts written by much more talented individuals.
59
Any attack involving human interaction of some kind is referred to as:
Social engineering

Social engineering refers to any attack involving human interaction of some kind. Attackers who use social engineering try to convince a victim to perform actions or give out information they wouldn't under normal circumstances.

An opportunistic attack is typically automated and involves scanning a wide range of systems for known vulnerabilities, such as old software, exposed ports, poorly secured networks, and default configurations.

A white hat hacker helps companies find vulnerabilities in their security.

Social engineers are master manipulators and use multiple tactics on their victims.
60
Using a fictitious scenario to persuade someone to perform an action or give information they aren't authorized to share is called:
Pretexting

Pretexting is using a fictitious scenario to persuade someone to perform an action or give information they aren't authorized to share.

Footprinting is similar to stalking but in a social engineering context.

Preloading is influencing a target's thoughts, opinions, and emotions before something happens.

Impersonation is pretending to be somebody else and approaching a target to extract information.
61
Ron, a hacker, wants to get access to a prestigious law firm he has been watching for a while. June, an administrative assistant at the law firm, is having lunch at the food court around the corner from her office. Ron notices that June has a picture of a dog on her phone. He casually walks by and starts a conversation about dogs. Which phase of the social engineering process is Ron in?
Development phase

The development phase involves two parts: selecting individual targets within a company and forming a relationship with those individuals.

The exploitation phase is when the attacker takes advantage of the relationship with the victim and uses the victim to extract information, obtain access, or accomplish the attacker's purposes in some way.

The research phase is when the attacker starts gathering information about the target company or organization.

Elicitation is a technique used to extract information from a target without arousing suspicion.
62
You are instant messaging a coworker, and you get a malicious link. Which type of social engineering attack is this?
Spim

Spim is a malicious link sent to the target over instant messaging.

Email hoaxes trick a target into sharing sensitive information with an attacker.

Spam emails include a malicious embedded URL or banner ads that entice users to click them.

Shoulder surfing involves looking over someone's shoulder while they work on a computer to see usernames, passwords, or account numbers.
63
Brandon is helping Fred with his computer. He needs Fred to enter his username and password into the system. Fred enters the username and password while Brandon is watching him. Brandon explains to Fred that it is not a good idea to allow anyone to watch you type in usernames or passwords. Which type of social engineering attack is Fred referring to?
Shoulder surfing

Shoulder surfing involves looking over someone's shoulder while they work on a computer to see usernames, passwords, or account numbers.

Eavesdropping is when an unauthorized person listens to conversations when employees or other authorized personnel are discussing sensitive topics.

Social engineers often employ keyloggers to capture usernames and passwords. As the target logs in, the username and password are saved.

Spam is an email that includes a malicious embedded URL or a banner ad that entices the user to click on it. Spim is a malicious link sent to the target over instant messaging instead of email.
64
Which of the following best describes an inside attacker?
An unintentional threat actor; the most common threat.

An insider could be a customer, a janitor, or even a security guard, but most of the time, it's an employee. Employees pose one of the biggest threats to any organization. An unintentional threat actor is the most common insider threat.

A hacker is any threat agent who uses their technical knowledge to bypass security, exploit a vulnerability, and gain access to protected information.

A white hat hacker is a good guy who tries to help a company see the vulnerabilities that exist in their security.

Attacks from nation states are generally extremely well-supported and funded.
65
Compliments, misinformation, feigning ignorance, and being a good listener are tactics of which social engineering technique?
Elicitation

Elicitation is a technique that aims to extract information from a target without arousing suspicion. Some of the elicitation tactics are giving compliments, delivering misinformation, feigning ignorance, and being a good listener.

Preloading is used to set up a target by influencing the target's thoughts, opinions, and emotions.

In the interrogation phase, the attacker talks to the target about their statements.

Impersonation is pretending to be trustworthy and approaching the target to ask them for sensitive information or convincing a target to grant a hacker access to protected systems.
66
You get a call from one of your best customers. The customer is asking about your company's employees, teams, and managers. What should you do?
You should not provide any information and forward the call to the help desk.

Every employee in the company should be taught that if somebody calls them and claims to be someone who needs employee information, especially usernames and passwords, they should forward that call to the help desk.
67
Jason is at home, attempting to access the website for his music store. When he goes to the website, it has a simple form asking for name, email, and phone number. This is not the music store website. Jason is sure the website has been hacked. How did the attacker accomplish this hack?
DNS cache poisoning

In DNS cache poisoning, the attacker launches the attack on the chosen DNS server. Then, the attacker changes a target website's IP address to a fake website. When the user enters the target website's URL, the DNS server redirects them to the fake IP address modified by the attacker and then to a fake website controlled by the attacker.

In host file modification, the attacker sends malicious code as an email attachment. When the user opens the attachment, the malicious code executes and modifies the local hosts file on the user's computer.

Many social engineers use applications such as Facebook, Twitter, and Instagram to gather information and steal identities among other nefarious acts, but no social media is involved in this attack.

An attacker feigning ignorance might make a wrong statement and then admit to not knowing much about the subject, but that event does not occur in this attack scenario.
68
An attack that targets senior executives and high-profile victims is referred to as:
Whaling

Whaling is another form of phishing that targets senior executives and high-profile victims.

Pharming involves the attacker executing malicious programs on the target's computer so that when the user enters any URL, it redirects traffic to the attacker's malicious website.

Vishing is like phishing, but instead of an email, the attacker uses Voice over IP (VoIP) to gain sensitive information. The term is a combination of voice and phishing.

Scrubbing is one of the most common ways to pick a lock.
69
You are a security consultant and have been hired to evaluate an organization's physical security practices. All employees must pass through a locked door to enter the main work area. Access is restricted using a biometric fingerprint lock.

A receptionist is located next to the locked door in the reception area. She uses an iPad application to log any security events that may occur. She also uses her iPad to complete work tasks as assigned by the organization's CEO.

What could you do to add an additional layer of security to this organization?
Train the receptionist to keep her iPad in a locked drawer.

In this scenario, the best option to add an additional layer of security is to train the receptionist to keep her iPad in a locked drawer.

In this scenario, moving the receptionist's desk into the secured area would defeat the purpose of a receptionist, since only employees would then be able to reach her.

Biometrics are already in place in this scenario.

All companies should require users to use workstation screensaver passwords. In this scenario, the receptionist does not have a workstation.
70
While reviewing video files from your organization's security cameras, you notice a suspicious person using piggybacking to gain access to your building. The individual in question did not have a security badge.

Which of the following would you most likely implement to keep this from happening in the future?
Mantraps

You could implement mantraps at each entrance to the facility to mitigate piggybacking. A mantrap is a specialized entrance with two doors that creates a security buffer zone between two areas. Once a person enters the space between the doors, both doors are locked. To enter the facility, authentication must be provided. If authentication is not provided, the intruder is kept in the mantrap until authorities arrive.

Scrubbing involves holding a lock with a tension wrench and quickly scraping the lock pins with a pick.

Cable locks are used to secure computer hardware.

An anti-passback system prevents a cardholder from passing their card back to someone else.
71
Implementing emergency lighting that runs on protected power and automatically switches on when the main power goes off is part of which physical control?
Employee and visitor safety

As you implement physical security, be sure to keep the safety of employees and visitors in mind. Consider the importance of the following actions:

* Implement adequate lighting in parking lots and around employee entrances.
* Implement emergency lighting that runs on protected power and automatically switches on when the main power goes off.
* Implement fail-open locking systems that allow employees to exit your facility quickly in the event of an emergency.
* Devise escape plans that utilize the best escape routes for each area in your organization. Post these escape plans in prominent locations.
* Conduct emergency drills to verify that the physical safety and security measures you have implemented function correctly.

You can implement physical access controls inside the facility as follows:

* Physical controls may include key fobs, swipe cards, or badges.
* Physical controls may include biometric factors such as fingerprint scanners, retinal scanners, iris scanners, voice recognition, and facial recognition.
* To control access to sensitive areas within the facility, require a card swipe or reader.
* Some systems can track personnel movement within a facility and proactively lock or unlock doors based on the access token device.
* An anti-passback system prevents a card holder from passing a card back to someone else.
* Physical controls are often implemented along with sensors and alarms to detect unauthorized access.

Perimeter barriers physically secure a building's perimeter and restrict access to only secure entry points.

Physical access logs are implemented by facility guards and require everyone gaining access to the facility to sign in upon entry.
72
Closed-circuit television can be used as both a preventative tool (to monitor live events) or as an investigative tool (to record events for later playback). Which camera is more vandal-resistant than other cameras?
A dome camera

A dome camera, which is a camera protected with a plastic or glass dome, is more vandal-resistant than other cameras.

A c-mount camera has interchangeable lenses and is typically rectangular in shape with the lens on the end. Most c-mount cameras require a special housing to be used outdoors.

A Pan Tilt Zoom (PTZ) camera lets you dynamically move the camera and zoom in on specific areas (cameras without PTZ capabilities are manually set looking toward a specific direction).

A bullet camera has a built-in lens and is long and round in shape. Most bullet cameras can be used indoors or outdoors.
73
Important aspects of physical security include which of the following?
Preventing interruptions of computer services caused by problems such as fire.

Important aspects of physical security include:

* Restricting physical access to facilities and computer systems.
* Preventing interruptions of computer services caused by problems such as loss of power or fire.
* Preventing unauthorized disclosure of information.
* Disposing of sensitive material.
* Protecting the interior and exterior of your facility.

Detection is identifying what was broken into, what is missing, and the extent of the damage.

Preloading is influencing the target's thoughts, opinions, and emotions before something happens.

Implementing adequate lighting in parking lots and around employee entrances is a control measure for employee and visitor safety.
74
What are the three factors to keep in mind with physical security?
Prevention, detection, and recovery

There are three factors to keep in mind with physical security:

* Prevention is making the location less appealing to hackers.
* Detection is identifying what was broken into, what is missing, and the extent of the damage.
* Recovery is reviewing the physical security procedures, repairing any damage, and hardening the physical security of the company against future problems.
75
A person in a dark grey hoodie has jumped the fence at your research center. A security guard has detained this person, denying him physical access. Which of the following areas of physical security is the security guard currently in?
Security sequence

The security sequence area of physical security should be deployed in the following order. If a step in the sequence fails, the next step should take effect automatically.

1. Deter initial access attempts.
2. Deny direct physical access.
3. Detect the intrusion.
4. Delay the violator to allow for response.

When designing physical security, implement a layered defense system. A layered defense system is one in which controls are implemented at each layer to ensure that defeating one level of security does not allow an attacker subsequent access.

There are three security factors to keep in mind with physical security: prevention, detection, and recovery.

Physical controls are measures you take to physically secure a building, secure the perimeter, and restrict access to only secure entry points.
76
Which of the following best describes a lock shim?
A thin, stiff piece of metal.

A lock shim is a tool that is, basically, a thin, stiff piece of metal that can be inserted into the latch of a padlock.

A bump key is cut to the number nine position, which is the lowest possible cut.

A pick is a small, angled, and pointed tool kind of like a dentist pick.

One of the most common ways to pick a lock is called scrubbing. This method involves holding the lock with a tension wrench while the pins are scraped quickly with the pick.
77
On her way to work, Angela accidentally left her backpack with a company laptop at the coffee shop. What type of threat has she caused the company?
Man-made threat

Human threats can be outsiders or insiders, so it can be tricky to safeguard against them all. Man-made threats include:

* Theft
* Vandalism
* Destruction

Environmental threats are natural disasters such as floods, fires, hurricanes, and other types of extreme weather.

An external threat is a threat originating outside a company, government agency, or institution.

Cloud threats are against the cloud services. The cloud is susceptible to many threats.
78
The U.S. Department of Commerce has an agency with the goal of protecting organizational operations, assets, and individuals from threats such as malicious cyber-attacks, natural disasters, structural failures, and human errors. Which of the following agencies was created for this purpose?
NIST

To protect data from threats and attacks, the U.S. Department of Commerce created the National Institute of Standards and Technology (NIST). NIST has released a special publication referred to as the NIST SP 800-53, which details security controls and assessment procedures that companies and organizations should implement to protect the integrity of their information systems. This document's goal is to protect organizational operations, assets, and individuals from many different kinds of threats, such as malicious cyberattacks, natural disasters, structural failures, and human errors.

The National Vulnerability Database (NVD) was originally created in 2000 and is a government-sponsored, detailed database of known vulnerabilities.

JPCERT is Japan's CERT organization. It provides security alerts and Japanese Vulnerability Notes (JVN).

CAPEC is a dictionary of known patterns of cyberattacks used by hackers.
79
Which type of attack involves changing the boot order on a PC so that the hacker can gain access to the computer by bypassing the installed operating system?
Physical attack

Physical security is the protection of corporate assets including property, facilities, equipment, and personnel from damage, theft, or harm. Physical attacks include items such as cold boot attacks, badge cloning, and BIOS access attacks.

An opportunistic attack is typically automated and involves scanning a wide range of systems for known vulnerabilities such as old software, exposed ports, poorly secured networks, and default configurations.

One thing to remember is that human threats can be outsiders or insiders, so it can be tricky to safeguard against them all. Man-made threats include theft, vandalism, and destruction.

Environmental threats are natural disasters such as floods, fires, hurricanes, and other types of extreme weather.
80
You have implemented a regular backup schedule for a Windows system, backing up data files every night and creating a system image backup once per week. For security reasons, your company has decided not to store a redundant copy of the backup media at an off-site location. Which of the following would be the best backup and storage option?
Use incremental backups and store them in a locked fireproof safe.

Incremental backups back up every file that's changed since the last full or incremental backup. If you can't store backups at an off-site location, you should make sure that the backups are locked up and that measures are taken to protect the backups from a disaster.

Differential backups back up every file that's changed since the last full backup.

Strategies such as locking the backups in a different room, keeping them on a shelf, or storing them in a drawer would not protect the backup against natural disasters.
81
You are in the process of implementing policies and procedures that require employee identification. You observe employees holding a secure door for others to pass through. Which of the following training sessions should you implement to help prevent this in the future?
How to prevent piggybacking and tailgating.

Piggybacking implies that the person who has opened the door with their credentials knows that others are following them in through the secure door.

Tailgating means that others are following through the door without the knowledge of the person who has opened the door.

ID badges are a great and easy way to identify who is authorized to be in a given area. Employees should be trained to:

* Wear their badge at all times.
* Respond appropriately if they encounter a person without a badge.
* Prevent piggybacking and tailgating.
* Never share their ID badge with anyone.
82
You have a set of DVD-RW discs that were used to archive files from your latest project. You need to prevent the sensitive information on the discs from being compromised. Which of the following methods should you use to destroy the data?
Shred the discs.

To completely prevent reading data from discs, destroy them using a DVD shredder or crushing.

Degaussing only works for magnetic media such as floppy and hard disk drives.

Simply deleting data offers little protection.

Overwriting the data is not efficient in this scenario, as the discs can simply be destroyed.
83
Which of the following best describes a physical barrier used to deter an aggressive intruder?
Large flowerpots

Just as ID badges are an easy way to identify people, bollards are an easy physical barrier to deter aggressive intruders. Bollards can be small straight concrete pillars, flat barricades, ball shaped pieces of concrete, large flowerpots, or even cement picnic tables. The idea is to prevent attackers from forcing themselves in by driving through an exterior wall or door.

A double-entry door has two doors that are locked from the outside but have crash bars on the inside that allow easy exit. Double-entry doors are typically used only for emergency exits, and alarms sound when the doors are opened.

An anti-passback system prevents a card holder from passing their card back to someone else.

In an alarmed carrier PDS, the welds and/or glue used to secure a hardened carrier are replaced with an electronic alarm system that can detect attempts to compromise the carrier and access the protected cable within it.
84
Joe, a bookkeeper, works in a cubicle environment and is often called away from his desk. Joe doesn't want to sign out of his computer each time he leaves. Which of the following is the best solution for securing Joe's workstation?
Configure the screen saver to require a password.

The best solution is to configure the screen saver or screen lock to be applied after a short period of nonuse and to require a password to return to the desktop.

Setting a strong password will not secure his computer when he is called away. Setting a strong password is a best practice.

Applying multifactor authentication will make it harder to hack the workstation. However, this will not secure his computer when he is called away.

Changing the default account names and passwords will not make his workstation more secure when he is called away.
85
When a penetration tester starts gathering details about employees, vendors, business processes, and physical security, which phase of testing are they in?
Reconnaissance

During the reconnaissance phase, you gather information about a company. In addition to technical information, you'll want to gather details about employees, vendors, business processes, and physical security.

During the scanning phase, you gather additional technical information about your target, more specifically, the systems that they have in place.

During the gaining access phase, you take control of one or more network devices and either extract data from the target or use that device to launch attacks on other targets.

During the covering tracks phase, you take the steps necessary to remove evidence of your attack.
86
Which of the following elements of penetration testing includes the use of web surfing, social engineering, dumpster diving, and social networking?
Information gathering techniques

During the reconnaissance phase, you gather information by reading a company's website, getting to know their employees, or dumpster diving.

Before beginning work of any kind, an ethical hacker needs to obtain written documentation granting permission from the customer.

During the reconnaissance phase, you gather information about a company. In addition to technical information, you'll want to gather details about employees, vendors, business processes, and physical security.

Maintaining access is taking steps to be persistently within the target environment to gather as much data as possible.
87
MinJu, a penetration tester, is testing a client's security. She notices that every Wednesday, a few employees go to a nearby bar for happy hour. She goes to the bar and starts befriending one of the employees with the intention of learning the employee's personal information. Which information gathering technique is MinJu using?
Social engineering

Social engineering is an attempt to get to know a company's employees or vendors. After-work social gatherings can provide important tidbits of information about an employee and about a company, especially its weaknesses.

Despite our highly technical society, dumpster diving is still a viable hacking option. It's not the most glamorous method, but in some instances it may be very effective for finding employee names, account numbers, client names, and vendor information.

Web surfing can help you research company websites, social media, discussion groups, financial reports, and news articles. If you follow the breadcrumbs, you can find some pretty interesting information about an organization online.

Social networking is what you do after you've located employee names. You can extend your search to LinkedIn, Facebook, Instagram, Twitter, or People Search to learn even more information about a company, a vendor, or an employee.
88
A penetration tester is trying to extract employee information during the reconnaissance phase. What kinds of data is the tester collecting about the employees?
Contact names, phone numbers, email addresses, fax numbers, and addresses

During the reconnaissance phase, you gather information about a company. For employee information, the penetration tester collects contact names, phone numbers, email addresses, fax numbers, and addresses for any individuals associated with the target company.

For information systems, the tester collects information about the operating systems, applications, security policies, and network mapping.

For operations, the tester collects information about intellectual property, critical business functions, and management hierarchy.

For physical security, the tester collects information about geographical location and surroundings, entry control systems, employee routines, and vendor traffic.
89
Which of the following is the difference between an ethical hacker and a criminal hacker?
An ethical hacker has permission to hack a system, and a criminal hacker doesn't have permission.

The difference between an ethical hacker and a criminal hacker is that an ethical hacker always obtains permission to hack a system.
90
Whois, Nslookup, and ARIN are all examples of:
Network footprinting tools

Website and email footprinting can provide details on information flow, operating systems, filenames, and network connections. Whois, nslookup, and ARIN are examples of footprinting tools.

Despite its name, Google hacking is legal because all of the results are pulled from public websites. By adding a few operators, you can use the Google search engine to provide filtered information about a specific topic. A few of the operators include *info:website, link:website, related:website, index of /keyword, intitle:keyword,* and *allinurl:keywords*.

Internet research tools include Google Earth, Google Maps, Webcams, Echosec, Maltego, and Wayback Machine.

IoT hacking tools include Censys, Zniffer, Shodan, Thingful, and beSTORM.
91
Iggy, a penetration tester, is conducting a black box penetration test. He wants to do reconnaissance by gathering information about ownership, IP addresses, domain name, locations, and server types. Which of the following tools would be most helpful?
Whois

Whois is a utility used to gain information about a target network. It can gather information about ownership, IP addresses, domain name, location, server type, and the date the site was created.

ARIN is a website that will provide you with information about a network's name, range, origination dates, and server details.

Nslookup is a utility used to query DNS servers to obtain information about the host network including DNS records and host names.

beSTORM is a smart fuzzer that finds buffer overflow weaknesses as it automates and documents the process of delivering malicious input and then watches for unpredicted responses from an application.
92
What does the Google Search operator *allinurl:keywords* do?
Shows results in pages that contain all of the listed keywords.

*allinurl:keywords* shows results in pages that contain all of the listed keywords.

*index of /keyword* displays websites where directory browsing has been enabled.

*intitle:keyword* shows results in pages that contain the keyword in the title.

*related:website* displays websites similar to the one listed.
93
What's the name of the open-source forensics tool that can be used to pull information from social media postings and find relationships between companies, people, email addresses, and other information?
Maltego

Maltego is an open-source forensics tool that can be used to pull information from social media postings and find relationships between companies, people, email addresses, and other information.

The Wayback Machine is a non-profit catalog of old site snapshots and may contain information that your target thought they had removed from the internet.

Echosec is a tool that can be used to pull information from social media postings that were made using location services. You can select a location on a map and view all posts that have occurred at that location. These results can be filtered by user, date, or keyword.

Google Earth is a satellite imagery tool that provides current and historical images of most locations. Images can date back several decades.
94
Xavier is doing reconnaissance. He is gathering information about a company and its employees by going through their social media content. Xavier is using a tool that pulls information from social media postings that were made using location services. What is the name of this tool?
Echosec

Echosec is a tool that can be used to pull information from social media postings that were made using location services.

The Wayback Machine is a nonprofit catalog of old site snapshots and may contain information that your target thought they had removed from the internet.

Google Maps is a web mapping service that provides a street view of houses, businesses, roadways, and topologies.

Maltego is an open-source forensics tool that can be used to pull information from social media postings and find relationships between companies, people, email addresses, and other information.
95
You are in the reconnaissance phase at the XYZ company. You want to use nmap to scan for open ports and use a parameter to scan the 1,000 most common ports. Which nmap command would you use?
**nmap -sS xyzcompany.com**

**-sS** performs a TCP SYN port scan (the default) and scans the 1,000 most common ports.

**-sV** attempts to determine the version of the service running on a port.

**-sT** performs a TCP connect port scan (the default without root privilege).

**-sA** executes a TCP ACK port scan.
96
You have found the IP address of a host to be 172.125.68.30. You want to see what other hosts are available on the network. Which of the following nmap commands would you enter to do a ping sweep?
**nmap -sn 172.125.68.1-255**

The **-sn** option tells nmap to skip port scanning (ping scan only). The command **nmap -sn 172.125.68.1-255** will sweep a range of IP addresses without listing the ports.

The **nmap -sS** command is used for a TCP SYN port scan (default).

The **nmap -sU** command is used for UDP port scans.

The **nmap -sM** command is used for TCP Maimon port scans.
97
Which of the following services is most targeted during the reconnaissance phase of a hacking attack?
DNS

The DNS service is one of the most popular internet services targeted during the reconnaissance phase.

The DHCP service is usually attacked during the gaining access stage.

TLS is a cryptographic protocol, not a service targeted during the reconnaissance phase of a hacking attack.

DoS, or denial-of-service, is a type of attack that prevents legitimate users from accessing computer systems, not a service targeted during the reconnaissance phase of an attack.
98
Dan wants to implement reconnaissance countermeasures to help protect his DNS service. Which of the following actions should he take?
Install patches against known vulnerabilities and clean up out-of-date zones, files, users, and groups.

Installing patches against known vulnerabilities and cleaning up out-of-date zones, files, users, and groups are good DNS reconnaissance countermeasures.

Reviewing company websites to see what sensitive information is being shared is conforming to an internet information sharing policy.

Implementing policies that restrict the sharing of sensitive company information on employees' personal social media pages is conforming to an employee social media information sharing policy.

Limiting the sharing of critical information in press releases, annual reports, product catalogs, and marketing materials is conforming to a printed materials information sharing policy.
99
New cards
Julie configures two DNS servers, one internal and one external, with authoritative zones for the corpnet.xyz domain. One DNS server directs external clients to an external server. The other DNS server directs internal clients to an internal server. Which of the following DNS countermeasures is she implementing?
Split DNS

A split DNS is implemented with two DNS servers configured to be authoritative for the same domain, one on the external network and one on the internal network, so that external clients never see internal host records.

A proxy server is an intermediary server that separates end users from the websites they browse and is not a DNS countermeasure.

DNS propagation is the process by which a changed DNS record spreads to other DNS servers and is not a DNS countermeasure.

An information sharing policy is a reconnaissance countermeasure but is not a DNS countermeasure.
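The split DNS arrangement in Julie's card, shown as an added BIND configuration example (not part of the original card set): the external server's zone file publishes only the hosts that must be reachable from the internet, while the internal server's zone file carries the same names with internal addresses plus internal-only hosts. File paths, the 203.0.113.0/24 and 10.0.0.0/8 addresses, and all host names other than corpnet.xyz are assumptions for this example.

```conf
; ---- external server: /etc/bind/zones/db.corpnet.xyz.external (assumed path) ----
; Only hosts that must be reachable from the internet; addresses are from the
; 203.0.113.0/24 documentation range and are made up for this example.
$TTL 3600
$ORIGIN corpnet.xyz.
@       IN  SOA  ns1.corpnet.xyz. hostmaster.corpnet.xyz. (
            2024010101 ; serial
            3600       ; refresh
            900        ; retry
            1209600    ; expire
            300 )      ; negative-cache TTL
        IN  NS   ns1.corpnet.xyz.
        IN  MX   10 mail.corpnet.xyz.
ns1     IN  A    203.0.113.2
www     IN  A    203.0.113.10
mail    IN  A    203.0.113.20

; ---- internal server: /etc/bind/zones/db.corpnet.xyz.internal (assumed path) ----
; Same zone name, internal addresses, plus hosts that exist only here.
$TTL 3600
$ORIGIN corpnet.xyz.
@       IN  SOA  ns-int.corpnet.xyz. hostmaster.corpnet.xyz. (
            2024010101 3600 900 1209600 300 )
        IN  NS   ns-int.corpnet.xyz.
        IN  MX   10 mail.corpnet.xyz.
ns-int  IN  A    10.0.1.2
www     IN  A    10.0.5.10   ; same name as outside, internal address
mail    IN  A    10.0.5.20
intranet IN A    10.0.5.11   ; internal only: external clients get NXDOMAIN
dc01    IN  A    10.0.1.10   ; internal only

// ---- external server: zone stanza in named.conf (assumed path /etc/bind/named.conf.local) ----
zone "corpnet.xyz" {
    type master;
    file "/etc/bind/zones/db.corpnet.xyz.external";
    allow-transfer { none; };   // refuse AXFR so the zone cannot be dumped from the internet
};

// ---- internal server: zone stanza in named.conf ----
acl "corpnet_internal" { 10.0.0.0/8; 127.0.0.1; };
zone "corpnet.xyz" {
    type master;
    file "/etc/bind/zones/db.corpnet.xyz.internal";
    allow-query { corpnet_internal; };   // answer only internal clients
    allow-transfer { none; };
};
```

The check a tester would run from outside is `dig @ns1.corpnet.xyz intranet.corpnet.xyz` (expect NXDOMAIN) and `dig @ns1.corpnet.xyz corpnet.xyz axfr` (expect the transfer to be refused); if either succeeds, the external server is leaking the internal view and the split is not doing its job.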
100
New cards
Which of the following information sharing policies addresses the sharing of critical information in press releases, annual reports, product catalogs, and marketing materials?
A printed materials policy

A printed materials information sharing policy would limit the sharing of critical information in press releases, annual reports, product catalogs, and marketing materials.

An internet information sharing policy would require a review of company websites to see what sensitive information is being shared.

A company social media information sharing policy would provide guidelines regarding the types of posts that are made to the company's social media site.

An employee social media information sharing policy would restrict the sharing of sensitive company information on an employee's personal social media page. This could include product information, customer or vendor information, employee information, or even pictures of the organization.
